Quantum key distribution (QKD) is often, more correctly, called key growing. Given a short 
key as a seed, QKD enables two parties, connected by an insecure quantum channel, to generate a 
secret key of arbitrary length. Conversely, no key agreement is possible without access to an initial 
key. Here, we consider another fundamental cryptographic task, commitments. While, similar to 
key agreement, commitments cannot be realized from scratch, we ask whether they may be grown. 
That is, given the ability to commit to a fixed number of bits, is there a way to augment this 
to commitments to strings of arbitrary length? Using recently developed information-theoretic 
techniques, we answer this question in the negative. 



Introduction. — Quantum key distribution [1, 2] allows two honest parties, Alice and Bob, to establish a shared secret key, using only insecure quantum communication. However, a necessary precondition for this to be possible is that they have access to a pre-shared initial key, to be used for authentication — a fact that is sometimes overlooked in the literature. It is easy to see that without such an initial key, it is impossible for Alice to distinguish between Bob and an eavesdropper pretending to be Bob — rendering all further security considerations futile. Nevertheless, once an initial key is available, this key can be grown, i.e., expanded to arbitrary length.

Another similar example is coin tossing. It is known that there is no unconditionally secure two-party protocol that generates a fair random coin which cannot be biased by a dishonest party [3]. However, if the two parties have access to a certain number of ideal coin tosses to start with, they can use protocols to obtain a larger number of secure coin tosses. (Here, security holds in a standalone model, where it is assumed that the protocol is invoked only once [4].)

Following this line of thought, one may wonder whether other cryptographic primitives, such as commitments, can be grown in a similar way. A string commitment protocol allows a sender to commit to a bit string that is revealed to a receiver at a later point. The protocol is secure for the sender (hiding) if the receiver cannot gain information about the commitment before she reveals it and it is secure for the receiver (binding) if the sender cannot change the string once committed. Here, we are only interested in unconditionally secure protocols, i.e., protocols that are secure against dishonest parties with unlimited computing power.

While it is known that unconditionally secure commitments cannot be implemented using classical or quantum communication only [5, 6] (see also [7, 8]), this Letter strives to answer the question whether it is possible to implement a long string commitment with a protocol that uses a smaller number of bit commitments that are provided as a resource. (A bit commitment is a string commitment of length one.) We will answer this question in the negative, showing that it is impossible to expand commitments even minimally, and even under relaxed security criteria.

Commitments have a wide variety of applications in theoretical cryptography, ranging from zero-knowledge proofs [9] to secure coin tossing. In particular, commitments can be used to implement statistically secure and universally composable oblivious transfer [10–13], a functionality that is sufficient to realize universal secure two-party computation [14].

In [15] it has been shown that unconditionally secure oblivious transfer cannot be extended using quantum protocols. We note that this already imposes certain bounds on the resources that can be obtained from a limited number of bit commitments [16]. Furthermore, bounds on the quality of commitments for relaxed security definitions have been shown in [17–19]. Conversely, it has been shown that secure commitments can be implemented in relativistic settings involving multiple sites [20] or using trusted resources such as a noisy channel [21] or (trusted) distributed randomness [22, 23].

We now proceed with a more detailed specification of string commitment as well as the class of protocols we consider. We then briefly review the smooth entropy calculus, which is required for our technical arguments. Our main result that commitments cannot be grown is stated as Theorem 1. This is supplemented with an alternative version of the claim, which applies if the initial functionality enables committing to quantum bits.

String Commitments. — A (classical) string commitment of length $\ell$ is a functionality that takes a bit string $x \in \{0,1\}^\ell$ from the sender and outputs the message committed to the receiver. Later, on input open from the sender, the functionality sends $x$ to the receiver.

In the following, we consider implementations of this task by quantum protocols between two parties, Alice (who holds system $A$) and Bob ($B$). They have access to a noiseless quantum and a noiseless classical channel, as well as to an additional resource, $C$ (to be specified later). In any round of the protocol, the parties may perform an arbitrary quantum operation on the system in their possession conditioned on the available classical information [24] - this includes generating the input for the available communication interfaces. The use of the quantum channel then corresponds to a party transferring a part of her system to the other party. The classical channel measures the input in a canonical basis and sends the outcome to the receiver. We assume that the total number of rounds of the protocol is bounded by some finite number. By padding the protocol with empty rounds, this corresponds to the assumption that the number of rounds is equal in every execution.

A string commitment scheme over strings of length $\ell$ generally consists of two phases. In the first, the commit phase, the sender commits to an $\ell$-bit string $x$. Later, in the opening phase the sender reveals $x$ to the receiver. The total system (consisting of the subsystems controlled by Alice and Bob) is assumed to be in a pure state initially. By introducing an additional space the quantum operations of both parties can be purified, i.e., we can assume that the parties apply, conditioned on the information shared over the classical channel, isometries to their systems. Thus, we will assume in the following that the state at the end of the commit phase conditioned on all the classical communication is pure.

Security Definitions. — Our main technical contribution will be a quantitative statement on the impossibility of growing string commitments. To formulate this statement, we introduce two definitions that capture the cheating probability of Alice and the information gain of Bob, respectively. We emphasize that the properties required in these definitions are only necessary (we therefore call the definitions "weak"), but would not be sufficient for the security of a protocol [25]. Since we are interested in the impossibility of certain protocols, this only strengthens our results.

Using a commitment protocol, a (quantum) Alice can 
always commit to a superposition of strings 0, [2(| as 



follows: she prepares a state

$$\frac{1}{\sqrt{|\mathcal{X}|}} \sum_{x \in \mathcal{X}} |x\rangle_X \otimes |x\rangle_{X'}$$



where $\mathcal{X}$ is a subset of the $\ell$-bit strings. Then she honestly executes the commit protocol with the first half of this state as input and keeps the system $X'$. We denote the resulting joint state of Alice, Bob and the resource system by $\rho^{\mathcal{X}}_{A'BC}$, where $A'$ stands for $XX'A$. Later, Alice can measure $X'$ and execute the opening phase of the protocol with the resulting string $x$. Thus, even for a perfectly binding commitment scheme, we cannot require that there is a fixed value $x$ Alice is committed to after the commit phase. Rather, we can only demand that $\sum_{x \in \{0,1\}^\ell} p_x \le 1$, where $p_x$ is the probability that Alice successfully reveals some $x$ in the opening phase.

In order to quantify the degree of bindingness of a protocol, we consider the following attack by Alice. First, she commits to a superposition of strings from a set $\mathcal{X}_0 \subseteq \{0,1\}^\ell$ as before. Then, she tries to map (by a local transformation $\mathcal{E}_{A'}$ on her system) the resulting state $\rho^{\mathcal{X}_0}_{A'BC}$ to $\rho^{\mathcal{X}_1}_{A'BC}$ corresponding to the commitment to a set $\mathcal{X}_1 \subset \{0,1\}^\ell$ which is disjoint from $\mathcal{X}_0$. Such an attack is successful with probability at least $\lambda$ if the protocol cannot detect the transformation with probability more than $1 - \lambda$. Using the trace distance, $D(\rho,\tau) := \frac{1}{2}\|\rho - \tau\|_1$, this can be turned into a necessary condition for security, formulated in terms of the closeness of the transformed state, $(\mathcal{E}_{A'} \otimes \mathbb{1}_{BC})(\rho^{\mathcal{X}_0}_{A'BC})$, to the target state $\rho^{\mathcal{X}_1}_{A'BC}$.

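Definition (Weakly $\lambda$-binding). We call a commitment scheme weakly $\lambda$-binding if

$$\min_{\mathcal{X}_0, \mathcal{X}_1} \, \min_{\mathcal{E}_{A'}} D\big((\mathcal{E}_{A'} \otimes \mathbb{1}_{BC})(\rho^{\mathcal{X}_0}_{A'BC}),\, \rho^{\mathcal{X}_1}_{A'BC}\big) \ge 1 - \lambda ,$$

where $\mathcal{X}_0$ and $\mathcal{X}_1$ are disjoint sets of strings from $\{0,1\}^\ell$ and $\mathcal{E}_{A'}$ is a completely positive trace preserving map acting on Alice's system.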

To define the hiding property, we consider the joint state $\rho^x_{AB}$ of Alice's and Bob's systems that results from an execution of the protocol where both parties are honest and Alice commits to $x$. For a commitment scheme to be $\varepsilon$-hiding, we require that $D(\rho^x_B, \rho^{x'}_B) \le \varepsilon$ for any $x, x'$. This immediately implies the following (necessary) security condition.

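Definition (Weakly $\varepsilon$-hiding). A bit commitment protocol is weakly $\varepsilon$-hiding for uniform $X$ if the marginal state $\rho_{XB}$ after the commit phase is $\varepsilon$-close to a state where $X$ is uniform with respect to $B$, i.e.,

$$\min_{\sigma_B} D\Big(\rho_{XB},\, \frac{1}{|\mathcal{X}|} \mathbb{1}_X \otimes \sigma_B\Big) \le \varepsilon . \tag{1}$$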

Smooth Entropies. — Our proof is based on the insight that every conceivable protocol that aims to extend bit commitment allows for an attack, which can be established using known results on privacy amplification and the smooth entropy formalism. (Privacy amplification has also been used in [18] to construct attacks on commitment schemes.) The detailed proofs of the technical statements can be found in [27].

Let $\rho_{XB} = \sum_x P(x) |x\rangle\langle x| \otimes \rho^x_B$ be a classical-quantum (CQ) state. Then the min-entropy of $X$ conditioned on $B$, denoted $H_{\min}(X|B)_\rho$, corresponds to the negative logarithm of the probability of guessing $X$ correctly from a quantum memory $B$ [28]. The smooth min-entropy of a state is defined as $H^\varepsilon_{\min}(X|B)_\rho := \max_{\tilde\rho} H_{\min}(X|B)_{\tilde\rho}$, where the optimization is over all (sub-normalized) states $\varepsilon$-close to $\rho_{XB}$ in terms of the purified distance, which corresponds to the minimum trace distance between their purifications. The purified distance between two states, $\rho$ and $\tilde\rho$, is upper bounded by $\sqrt{2 D(\rho, \tilde\rho)}$ [29].

The leftover hash lemma against quantum side information [30] (see also [31]) asserts that the smooth min-entropy $H^\varepsilon_{\min}(X|B)_\rho$ characterizes the amount of uniform randomness that can be extracted from $X$ with respect to the quantum side information $B$. A consequence of this is the following fact: for any CQ state $\rho_{XB} = \frac{1}{2^\ell} \sum_{x \in \{0,1\}^\ell} |x\rangle\langle x| \otimes \rho^x_B$ there exists a function $f : \{0,1\}^\ell \to \{0,1\}$ such that

$$D(\rho^{f,0}_B, \rho^{f,1}_B) \le 2\varepsilon + \sqrt{2^{\,1 - H^\varepsilon_{\min}(X|B)_\rho}} , \tag{2}$$

where $\rho^{f,z}_B = \frac{1}{|f^{-1}(z)|} \sum_{x \in f^{-1}(z)} \rho^x_B$.

In order to derive bounds on the conditional min-entropy when the conditioning system is manipulated, we use the following data-processing inequalities. Let $\rho_{XBC}$ be a CQ state, where $C$ is an additional quantum register with dimension $|C|$. Then, the min-entropy $H^\varepsilon_{\min}(X|BC)_\rho$ cannot increase by more than $\log |C|$ when a projective measurement $C \to Z$ is applied,

$$H^\varepsilon_{\min}(X|BC)_\rho \ge H^\varepsilon_{\min}(X|BZ)_\rho - \log |C| . \tag{3}$$

Moreover, if the classical register $Z$ is discarded, we have

$$H^\varepsilon_{\min}(X|BZ)_\rho \ge H^\varepsilon_{\min}(X|B)_\rho - \log |Z| . \tag{4}$$

The following fact, also used in the proofs of [5, 6, 32], is an essential building block of our impossibility proofs: let $\phi^0_{AB}$ and $\phi^1_{AB}$ be two pure states corresponding to the joint state of Alice and Bob when committing to '0' and '1', respectively. If the marginal state of $\phi^0_{AB}$ and $\phi^1_{AB}$ on Bob's system is (almost) the same, then there exists a unitary $U_A$ on Alice's system that (approximately) transforms $\phi^0_{AB}$ into $\phi^1_{AB}$, i.e., $(U_A \otimes \mathbb{1}_B)|\phi^0_{AB}\rangle \approx |\phi^1_{AB}\rangle$. This reasoning can be generalized to joint states $\rho^b_{YAYB}$ that are pure conditioned on all the classical information $Y$ available to both Alice and Bob as follows. If $D(\rho^0_{YB}, \rho^1_{YB}) \le \varepsilon$, then there exists a unitary $U_{YA}$ such that

$$D(U_{YA}\, \rho^0_{YAYB}\, U_{YA}^\dagger,\ \rho^1_{YAYB}) \le \sqrt{2\varepsilon} , \tag{5}$$

where we omitted the identity operator on $YB$.
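
The local transformation described in this paragraph can be checked numerically on a toy scheme. The following Python code is an added example, not part of the original Letter: the one-qubit scheme in `committed_state`, the function names and the use of NumPy are assumptions made for illustration. It obtains Alice's unitary from Uhlmann's theorem via a singular value decomposition and compares the distance between the two committed states before and after her rotation with the bound $\sqrt{2\varepsilon}$.

```python
import numpy as np

# Convention (assumed for this example): a pure state on A (x) B is stored as
# a matrix M with |psi> = sum_ij M[i, j] |i>_A |j>_B.

def marginal_B(M):
    """Bob's reduced state tr_A |psi><psi|."""
    return M.T @ M.conj()

def trace_distance(rho, sigma):
    """D(rho, sigma) = 1/2 ||rho - sigma||_1 for Hermitian matrices."""
    return 0.5 * np.abs(np.linalg.eigvalsh(rho - sigma)).sum()

def pure_state_distance(M0, M1):
    """Trace distance between two pure states: sqrt(1 - |<psi1|psi0>|^2)."""
    overlap = abs(np.vdot(M1, M0))
    return float(np.sqrt(max(0.0, 1.0 - overlap ** 2)))

def uhlmann_unitary(M0, M1):
    """Unitary U on A maximizing |<psi1|(U x 1)|psi0>| = |tr(U M0 M1^dagger)|.

    With the SVD M0 M1^dagger = W S Vh, the choice U = Vh^dagger W^dagger
    turns the trace into the sum of singular values, i.e. the fidelity of
    Bob's two marginals.
    """
    W, _, Vh = np.linalg.svd(M0 @ M1.conj().T)
    return Vh.conj().T @ W.conj().T

def is_unitary(U):
    return bool(np.allclose(U @ U.conj().T, np.eye(U.shape[0])))

def committed_state(bit, bias=0.0):
    """Constructed toy scheme: Alice keeps qubit A and hands qubit B to Bob.

    Bit 0 correlates A with B in the computational basis, bit 1 in the
    Hadamard basis. `bias` skews the bit-0 amplitudes so that the scheme is
    only approximately hiding.
    """
    if bit == 0:
        return np.diag([np.sqrt(0.5 + bias), np.sqrt(0.5 - bias)]).astype(complex)
    hadamard = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)
    return hadamard / np.sqrt(2)

def analyse(bias):
    """Return (eps, distance before U, distance after U, U) for the toy scheme."""
    M0, M1 = committed_state(0, bias), committed_state(1)
    eps = float(trace_distance(marginal_B(M0), marginal_B(M1)))  # Bob's view
    before = pure_state_distance(M0, M1)       # Alice does nothing
    U = uhlmann_unitary(M0, M1)
    after = pure_state_distance(U @ M0, M1)    # Alice applies U locally
    return eps, before, after, U

if __name__ == "__main__":
    for bias in (0.0, 0.05):
        eps, before, after, _ = analyse(bias)
        print(f"bias={bias}: eps={eps:.3f} before={before:.3f} "
              f"after={after:.3f} sqrt(2*eps)={np.sqrt(2 * eps):.3f}")
```

With no bias the two commitments are orthogonal as global states yet identical for Bob, and Alice's rotation maps one onto the other exactly; with a bias of 0.05 the residual distance stays well below $\sqrt{2\varepsilon}$.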

Main Result — One can trivially implement a string commitment of length $n$ from $n$ bit commitments. Furthermore, it is easy to see that, using a resource which allows the parties to commit to $n$ qubits, one can implement $n$ individual commitments to two bits each using superdense coding [33], and, therefore, also a string commitment of length $2n$. Our main result essentially states that these two trivial implementations are essentially optimal.

More precisely, we first consider implementations of string commitments based on a functionality that enables $n$ perfect (classical) bit commitments. We show that the length of the implemented string commitment is approximately upper bounded by $n$ if this is required to be highly binding and hiding.

Theorem 1. Every quantum protocol which uses $n_A$ bit commitments from Alice to Bob and $n_B$ bit commitments from Bob to Alice with $n = n_A + n_B$ as a resource and implements an $\varepsilon$-hiding and $\lambda$-binding string commitment of length $\ell$ must satisfy

$$\ell \le n - 2 \log\Big( \frac{(1-\lambda)^2}{4} - \sqrt{2\varepsilon} \Big) - 1 .$$

In particular, if $\lambda = \varepsilon \le 0.01$, then $\ell \le n + 6$.

Proof. In the following, we construct an attack by Alice 
on a modified protocol that does not use the resource 
bit commitments and is not necessarily hiding. In this 
protocol we make Bob more powerful in the sense that 
he can simulate the original protocol locally. Thus, any 
successful attack of Alice against the modified protocol 
implies a successful attack against the original protocol. 

In the modified protocol, Alice, instead of using the resource bit commitments, measures the bits to be committed, stores a copy and sends them to Bob, who stores them in a classical register, $C_A$. When one of these commitments is opened, he moves the corresponding bit to his register $B$. Bob simulates the action of his commitments locally as follows: instead of measuring a register, $Y$, and sending the outcome to the commitment functionality, he applies the isometry $U : |y\rangle_Y \mapsto |yy\rangle_{YY'}$ purifying the measurement of the committed bit and stores $Y'$ in another register, $C_B$. When Bob has to open the commitment, he measures $Y'$ and sends the outcome to Alice over the classical channel. Furthermore, the state conditioned on the classical communication is again pure.

Let $\rho_{XABC} = \sum_x \frac{1}{|\mathcal{X}|} |x\rangle\langle x| \otimes \rho^x_{ABC}$, where $C$ stands for $C_A C_B$, be the state resulting from the execution of the modified protocol when the input $X$ of Alice is uniformly distributed. Its marginal state, $\rho_{XAB}$, is the corresponding state at the end of the commit phase of the original commitment protocol. The state $\rho_{XB}$ must be weakly $\varepsilon$-hiding. Thus, by the definition of the smooth min-entropy and setting $\bar\varepsilon := \sqrt{2\varepsilon}$, we get

$$H^{\bar\varepsilon}_{\min}(X|B)_\rho \ge \log |\mathcal{X}| = \ell . \tag{6}$$

Therefore, inequalities (3) and (4) imply that

$$H^{\bar\varepsilon}_{\min}(X|B C_A C_B)_\rho \ge H^{\bar\varepsilon}_{\min}(X|B)_\rho - n \ge \ell - n . \tag{7}$$

From (2) we know that there exists a function $f$ such that $D(\rho^{f,0}_{BC}, \rho^{f,1}_{BC}) \le 2\delta$, where $\delta := \bar\varepsilon + \frac{1}{2}\sqrt{2^{\,1 - H^{\bar\varepsilon}_{\min}(X|BC)_\rho}}$ and $\rho^{f,z}_{BC} = \frac{1}{|f^{-1}(z)|} \sum_{x \in f^{-1}(z)} \rho^x_{BC}$. In order to construct a concrete attack, let Alice choose a bit $z$ and commit to a uniform superposition of all strings $x$ with $f(x) = z$. Then the resulting joint state $\rho^{f,z}_{A'BC}$ at the end of the commit phase is pure conditioned on all the shared classical information. According to (5) there exists, therefore, a unitary $U_{A'}$ on Alice's system that transforms $\rho^{f,0}_{A'BC}$ into a state which is $2\sqrt{\delta}$-close to $\rho^{f,1}_{A'BC}$ in terms of the trace distance. The definition of weakly $\lambda$-binding implies that $1 - \lambda \le 2\sqrt{\delta}$ and, together with (7), the statement follows. □
Next, we consider protocols which use a quantum commitment functionality that allows the parties to commit to (and later reveal) $n$ qubit states. By slightly modifying the proof of the theorem, we show that there cannot exist a protocol that uses such a resource and implements a string commitment of length larger than $2n$. We consider again a modified protocol, where Bob simulates the resource system as follows: Alice, instead of using the resource, sends the committed qubits to Bob, and Bob keeps all the qubits that he would send to the commitment functionality in the original protocol in a register, $C$. Let $\rho_{XABC}$ be the joint state after the execution of the commit phase when Alice's input $X$ is uniformly distributed. We have $H^{\bar\varepsilon}_{\min}(X|B)_\rho \ge \log |\mathcal{X}| = \ell$ as in (6). Inequalities (3) and (4) together imply that conditioning on an additional quantum system $C$ cannot decrease the smooth min-entropy by more than $2 \log |C|$. Thus, we have

$$H^{\bar\varepsilon}_{\min}(X|BC)_\rho \ge H^{\bar\varepsilon}_{\min}(X|B)_\rho - 2 \log |C| \ge \ell - 2n . \tag{8}$$

Now we proceed as in the proof of the main theorem to get

$$\ell \le 2n - 2 \log\Big( \frac{(1-\lambda)^2}{4} - \sqrt{2\varepsilon} \Big) - 1 . \tag{9}$$

Note that the same reasoning applies to any resource which can be simulated by Bob such that the resulting state at the end of the commit phase is pure conditioned on all the classical communication and the simulated resource uses an additional memory of size at most $\log |C|$. Thus, inequality (9) holds for arbitrary such resources with $\log |C| \le n$.

Conclusions — We proved that it is impossible to use a small number of bit commitments as a resource to implement a larger string commitment that is both arbitrarily binding and hiding. This is in stark contrast to corresponding positive results for other cryptographic primitives, such as quantum key distribution or coin flipping, where the resource of interest, once available in finite number, can be enlarged ad infinitum.

The techniques we use to show our impossibility results can be applied to prove more general results on the possibility and efficiency of two-party cryptography. In particular, they can be used to prove bounds on the efficiency of implementations of string commitments from oblivious transfer and, more generally, from resources that distribute trusted correlations to the parties. Moreover, the impossibility results on implementations of oblivious transfer presented in [15] can be improved using these techniques.
APPENDIX 



Section A contains general definitions and technical lemmas related to distance measures and the smooth entropy 
calculus, as needed for our work. In Section B we present the full proofs of our main results. 



A. Preliminaries 



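We restrict our attention to finite-dimensional Hilbert spaces $\mathcal{H}$. We use $\mathcal{P}(\mathcal{H})$ to denote the set of positive semi-definite operators on $\mathcal{H}$. We define the set of normalized quantum states by $\mathcal{S}_=(\mathcal{H}) := \{\rho \in \mathcal{P}(\mathcal{H}) : \operatorname{tr}\rho = 1\}$ and the set of sub-normalized states by $\mathcal{S}_\le(\mathcal{H}) := \{\rho \in \mathcal{P}(\mathcal{H}) : 0 < \operatorname{tr}\rho \le 1\}$. Given a state $\rho_{AB} \in \mathcal{S}_=(\mathcal{H}_A \otimes \mathcal{H}_B)$ we denote by $\rho_A$ and $\rho_B$ its marginal states $\rho_A = \operatorname{tr}_B(\rho_{AB})$ and $\rho_B = \operatorname{tr}_A(\rho_{AB})$. We define the fidelity between two states $\rho, \tau \in \mathcal{S}_=(\mathcal{H})$ as $F(\rho,\tau) := \|\sqrt{\rho}\sqrt{\tau}\|_1$. For $\rho, \tau \in \mathcal{S}_=(\mathcal{H}_A)$, we define the trace distance between $\rho$ and $\tau$ as

$$D(\rho,\tau) := \frac{1}{2} \|\rho - \tau\|_1 .$$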

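For $b \in \{0,1\}$, let $\rho^b_{XB} = \sum_x |x\rangle\langle x| \otimes \rho^{x,b}_B$ be classical-quantum (CQ) states. Then we have (see [30] for a proof)

$$\|\rho^0_{XB} - \rho^1_{XB}\|_1 = \sum_{x \in \mathcal{X}} \|\rho^{x,0}_B - \rho^{x,1}_B\|_1 . \tag{10}$$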

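Definition 2. For $\rho_{AB} \in \mathcal{S}_=(\mathcal{H}_{AB})$ we define the distance from uniform of $A$ conditioned on $B$ as

$$\Delta(A|B)_\rho := \min_{\sigma_B} D(\rho_{AB}, \omega_A \otimes \sigma_B) , \tag{11}$$

where $\omega_A := \mathbb{1}_A / \dim \mathcal{H}_A$ and the minimum is taken over all $\sigma_B \in \mathcal{S}_=(\mathcal{H}_B)$.

Lemma 3. Let $\rho_{XB} = \sum_{x \in \{0,1\}} \frac{1}{2} |x\rangle\langle x| \otimes \rho^x_B$ be a CQ state and $\Delta(X|B)_\rho \le \varepsilon$. Then

$$D(\rho^0_B, \rho^1_B) \le 2\varepsilon .$$

Proof. $D(\rho_{XB}, \omega_X \otimes \sigma_B) \le \varepsilon$ implies

$$\|\rho^0_B - \rho^1_B\|_1 \le \|\rho^0_B - \sigma_B\|_1 + \|\rho^1_B - \sigma_B\|_1 \le 4\varepsilon$$

where we used (10) and, therefore, we have $D(\rho^0_B, \rho^1_B) \le 2\varepsilon$. □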

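Furthermore, we will make use of the following well-known technical lemma which is also used in [5, 6, 32].

Lemma 4. Let $|\psi^0_{AB}\rangle$ and $|\psi^1_{AB}\rangle$ be states with $D(\rho^0_B, \rho^1_B) \le \varepsilon$ where $\rho^x_B = \operatorname{tr}_A |\psi^x_{AB}\rangle\langle\psi^x_{AB}|$. Then there exists a unitary $U_A$ such that

$$D(|\phi^1_{AB}\rangle\langle\phi^1_{AB}|,\ |\psi^1_{AB}\rangle\langle\psi^1_{AB}|) \le \sqrt{2\varepsilon}$$

with $|\phi^1_{AB}\rangle = (U_A \otimes \mathbb{1}_B)|\psi^0_{AB}\rangle$.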
Proof. $D(\rho^0_B, \rho^1_B) \le \varepsilon$ implies $F(\rho^0_B, \rho^1_B) \ge 1 - \varepsilon$. From Uhlmann's theorem we know that there exists a unitary $U_A$ such that $F(|\phi^1_{AB}\rangle\langle\phi^1_{AB}|, |\psi^1_{AB}\rangle\langle\psi^1_{AB}|) \ge 1 - \varepsilon$ where $|\phi^1_{AB}\rangle = (U_A \otimes \mathbb{1}_B)|\psi^0_{AB}\rangle$. Since $D(\rho,\tau) \le \sqrt{1 - F(\rho,\tau)^2}$ for 
any p, r e S=(H) [35|, we have ^1 - ^(P^K^abE I^abK^abI) 1 > 1 ~ e - Hence, 



□ 

Lemma 4 can be generalized to states which are pure conditioned on all classical information available to both A 
and B in the following way. 



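Lemma 5. For $b \in \{0,1\}$, let

$$\rho^b_{XX'AB} = \sum_x P_b(x)\, |x\rangle\langle x|_X \otimes |x\rangle\langle x|_{X'} \otimes |\psi^{x,b}_{AB}\rangle\langle\psi^{x,b}_{AB}|$$

with $D(\rho^0_{X'B}, \rho^1_{X'B}) \le \varepsilon$. Then there exists a unitary $U_{XA}$ such that

$$D(\rho'_{XX'AB},\ \rho^1_{XX'AB}) \le \sqrt{2\varepsilon}$$

where $\rho'_{XX'AB} = (U_{XA} \otimes \mathbb{1}_{X'B})\, \rho^0_{XX'AB}\, (U_{XA} \otimes \mathbb{1}_{X'B})^\dagger$.

Proof. Define $|\psi^b_{XX'X''AB}\rangle := \sum_x \sqrt{P_b(x)}\, |x\rangle_X \otimes |x\rangle_{X'} \otimes |x\rangle_{X''} \otimes |\psi^{x,b}_{AB}\rangle$ and let

$$\rho^b_{X'X''B} = \operatorname{tr}_{XA}\big(|\psi^b_{XX'X''AB}\rangle\langle\psi^b_{XX'X''AB}|\big) .$$

Then

$$D(\rho^0_{X'X''B}, \rho^1_{X'X''B}) = D(\rho^0_{X'B}, \rho^1_{X'B}) \le \varepsilon .$$

Thus, Lemma 4 implies the existence of a unitary $U_{XA}$ such that

$$D\big(|\phi^1_{XX'X''AB}\rangle\langle\phi^1_{XX'X''AB}|,\ |\psi^1_{XX'X''AB}\rangle\langle\psi^1_{XX'X''AB}|\big) \le \sqrt{2\varepsilon}$$

with $|\phi^1_{XX'X''AB}\rangle = (U_{XA} \otimes \mathbb{1}_{X'X''B})|\psi^0_{XX'X''AB}\rangle$. The statement then follows from the fact that taking the partial trace over $X''$ cannot increase the trace distance and commutes with the unitary $U_{XA}$ as follows. Let $\rho'_{XX'AB} = (U_{XA} \otimes \mathbb{1}_{X'B})\, \rho^0_{XX'AB}\, (U_{XA} \otimes \mathbb{1}_{X'B})^\dagger$. Then

$$\begin{aligned}
& D\big((U_{XA} \otimes \mathbb{1}_{X'B})\, \rho^0_{XX'AB}\, (U_{XA} \otimes \mathbb{1}_{X'B})^\dagger,\ \rho^1_{XX'AB}\big) \\
&\quad = D\big((U_{XA} \otimes \mathbb{1}_{X'B}) \operatorname{tr}_{X''}(\rho^0_{XX'X''AB}) (U_{XA} \otimes \mathbb{1}_{X'B})^\dagger,\ \operatorname{tr}_{X''}(\rho^1_{XX'X''AB})\big) \\
&\quad = D\big(\operatorname{tr}_{X''}\big((U_{XA} \otimes \mathbb{1}_{X'X''B})\, \rho^0_{XX'X''AB}\, (U_{XA} \otimes \mathbb{1}_{X'X''B})^\dagger\big),\ \operatorname{tr}_{X''}(\rho^1_{XX'X''AB})\big) \\
&\quad \le D\big((U_{XA} \otimes \mathbb{1}_{X'X''B})\, \rho^0_{XX'X''AB}\, (U_{XA} \otimes \mathbb{1}_{X'X''B})^\dagger,\ \rho^1_{XX'X''AB}\big) \\
&\quad \le \sqrt{2\varepsilon} .
\end{aligned}$$

□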

We define the non-smooth min-entropy as follows.

Definition 6 (Min-Entropy).

$$H_{\min}(A|B)_\rho := \max_{\sigma_B} \sup \{\lambda \in \mathbb{R} : 2^{-\lambda}\, \mathbb{1}_A \otimes \sigma_B \ge \rho_{AB}\} .$$

Then we define the smooth version of the min-entropy of a state $\rho$ as an optimization of the non-smooth entropy over a set of states that are close to $\rho$. As a distance measure between two states we use the purified distance, which corresponds to the minimum trace distance between purifications of these states [29].

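Definition 7 (Purified Distance). For $\rho, \tau \in \mathcal{S}_\le(\mathcal{H})$, we define the purified distance between $\rho$ and $\tau$ as

$$P(\rho,\tau) := \sqrt{1 - \bar F(\rho,\tau)^2}$$

where the generalized fidelity $\bar F$ is defined as $\bar F(\rho,\tau) = F(\rho,\tau) + \sqrt{(1 - \operatorname{tr}\rho)(1 - \operatorname{tr}\tau)}$. Note that $\bar F(\rho,\tau) = F(\rho,\tau)$ if at least one of the states is normalized.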
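Let $\varepsilon \ge 0$ and $\rho \in \mathcal{S}_\le(\mathcal{H})$ with $\sqrt{\operatorname{tr}\rho} > \varepsilon$. Then, we define an $\varepsilon$-ball in $\mathcal{H}$ around $\rho$ as

$$\mathcal{B}^\varepsilon(\mathcal{H}; \rho) := \{\tau \in \mathcal{S}_\le(\mathcal{H}) : P(\tau,\rho) \le \varepsilon\} .$$

The smoothed version of the min-entropy is defined as follows.

Definition 8 (Smooth Min-Entropy). Let $\varepsilon \ge 0$ and $\rho_{AB} \in \mathcal{S}_\le(\mathcal{H}_{AB})$, then the $\varepsilon$-smooth min-entropy of $A$ conditioned on $B$ of $\rho_{AB}$ is defined as

$$H^\varepsilon_{\min}(A|B)_\rho := \max_{\tilde\rho \in \mathcal{B}^\varepsilon(\mathcal{H}_{AB}; \rho)} H_{\min}(A|B)_{\tilde\rho} .$$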

A family $\mathcal{F}$ of functions from $\mathcal{X}$ to $\mathcal{Z}$ is called weakly two-universal [36] if for any pair of distinct inputs $x$ and $x'$ the probability of a collision $f(x) = f(x')$ is at most $1/|\mathcal{Z}|$ if $f$ is chosen at random from $\mathcal{F}$. The following lemma [30] (see also [31]) shows that weak two-universal hash functions are strong extractors against quantum side information, i.e., the output of the function is uniform with respect to the side information and the choice of the function.



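Lemma 9 (Leftover Hash Lemma). Let $\mathcal{F}$ be a family of weak two-universal hash functions from $\mathcal{X}$ to $\{0,1\}$. Let $\rho_{XB} = \sum_x P(x) |x\rangle\langle x| \otimes \rho^x_B$ be a CQ state and $\rho_{FZB} = \frac{1}{|\mathcal{F}|} \sum_f \sum_z |f\rangle\langle f| \otimes |z\rangle\langle z| \otimes \rho^{f,z}_B$ with $z \in \{0,1\}$ and $\rho^{f,z}_B = \sum_{x \in f^{-1}(z)} P(x) \rho^x_B$. Then

$$\Delta(Z|BF)_\rho \le \varepsilon + \frac{1}{2} \sqrt{2^{\,1 - H^\varepsilon_{\min}(X|B)_\rho}} .$$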

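Lemma 10. Let $\rho_{XB} = \frac{1}{2^\ell} \sum_{x \in \{0,1\}^\ell} |x\rangle\langle x| \otimes \rho^x_B$ be a CQ state. Then there exists a function $f : \{0,1\}^\ell \to \{0,1\}$ in $\mathcal{F}$ such that

where $\rho^{f,z}_B = \frac{1}{|f^{-1}(z)|} \sum_{x \in f^{-1}(z)} \rho^x_B$.

Proof. Let $\mathcal{F}$ be a family of two-universal hash functions $f : \{0,1\}^\ell \to \{0,1\}$ such that every $f$ is balanced, i.e., $|\{x \in \{0,1\}^\ell : f(x) = 0\}| = 2^{\ell-1}$. From Lemma 9 we know that

$$\Delta(Z|BCF)_\rho \le \delta$$

where $\delta := \varepsilon + \frac{1}{2}\sqrt{2^{\,1 - H^\varepsilon_{\min}(X|B)_\rho}}$ and $Z := f(X)$. Thus, there must exist a function $f \in \mathcal{F}$ such that $\Delta(Z|B)_{\rho[f]} \le \delta$. For $z \in \{0,1\}$ let



From Lemma 3 we then have $D(\rho^{f,0}_{BC}, \rho^{f,1}_{BC}) \le 2\delta$. □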

The following lemma shows that the conditional min-entropy $H^\varepsilon_{\min}(A|B)_\rho$ can decrease by at most $\log |Z|$ when conditioning on an additional classical system $Z$.

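Lemma 11. Let $\varepsilon \ge 0$ and let $\rho_{ABZ}$ be a tripartite state that is classical on $Z$ with respect to some orthonormal basis $\{|z\rangle\}_z$. Then

$$H^\varepsilon_{\min}(A|BZ)_\rho \ge H^\varepsilon_{\min}(A|B)_\rho - \log |Z| .$$

Proof. Let $\tilde\rho_{AB}$ be the state that optimizes the min-entropy $H^\varepsilon_{\min}(A|B)_\rho = H_{\min}(A|B)_{\tilde\rho}$. Then, there exists an extension $\tilde\rho_{ABZ}$ of $\tilde\rho_{AB}$ that is $\varepsilon$-close to $\rho_{ABZ}$ and classical on $Z$. See [29], where it is shown that there always exists an $\varepsilon$-close extension and that the purified distance can only decrease under a measurement in the $Z$ basis. Let $\tilde\rho_{ABZ} = \sum_z \tilde\rho^z_{AB} \otimes |z\rangle\langle z|$ so that $\tilde\rho^z_{AB} \le \tilde\rho_{AB}$ for all $z$. By the definition of the min-entropy, we have

$$\tilde\rho^z_{AB} \le \tilde\rho_{AB} \le 2^{-H_{\min}(A|B)_{\tilde\rho}}\, \mathbb{1}_A \otimes \sigma_B$$

for the optimal $\sigma_B$. Hence,

$$\tilde\rho_{ABZ} = \sum_z \tilde\rho^z_{AB} \otimes |z\rangle\langle z| \le 2^{-H_{\min}(A|B)_{\tilde\rho}}\, \mathbb{1}_A \otimes \sigma_B \otimes \mathbb{1}_Z .$$

The lemma now follows from the definition of the min-entropy $H^\varepsilon_{\min}(A|BZ)_\rho$, where $\tilde\rho_{ABZ}$ and $\sigma_{BZ} = \sigma_B \otimes$

are candidates for the optimization. □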
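The following lemma shows that the min-entropy $H^\varepsilon_{\min}(A|BC)_\rho$ cannot increase too much when a projective measurement is applied to system $C$.

Lemma 12. Let $\varepsilon \ge 0$ and let $\rho_{ABC}$ be a tri-partite state. Furthermore, let $\mathcal{M}$ be a projective measurement in the basis $\{|z\rangle\}_z$ on $C$ and $\rho_{ABZ} := (\mathcal{I}_{AB} \otimes \mathcal{M})(\rho_{ABC})$, where $\mathcal{I}_{AB}$ is the identity operation on $A$ and $B$. Then,

$$H^\varepsilon_{\min}(A|BC)_\rho \ge H^\varepsilon_{\min}(A|BZ)_\rho - \log |Z| .$$

Proof. Let $U : |z\rangle_C \mapsto |zz\rangle_{ZZ'}$ be the isometry purifying $\mathcal{M}$ in the sense that $\rho_{ABZ} = \operatorname{tr}_{Z'}(\rho_{ABZZ'})$, where $\rho_{ABZZ'} := U \rho_{ABC} U^\dagger$. Covariance under isometries of the smooth min-entropy implies

$$H^\varepsilon_{\min}(A|BC)_\rho = H^\varepsilon_{\min}(A|BZZ')_\rho .$$

Moreover, for some states $\tilde\rho_{ABZ}$ and $\sigma_{BZ}$, we have

$$\begin{aligned}
H^\varepsilon_{\min}(A|BZ)_\rho &= \sup \{\lambda \in \mathbb{R} : \tilde\rho_{ABZ} \le 2^{-\lambda}\, \mathbb{1}_A \otimes \sigma_{BZ}\} \\
&\le \sup \{\lambda \in \mathbb{R} : \tilde\rho_{ABZZ'} \le 2^{-\lambda} |Z|\, \mathbb{1}_A \otimes \tilde\sigma_{BZZ'}\} \qquad (12) \\
&\le H^\varepsilon_{\min}(A|BZZ')_\rho + \log |Z| .
\end{aligned}$$

Here, $\tilde\rho_{ABZZ'}$ is an extension of $\tilde\rho_{ABZ}$ that is $\varepsilon$-close to $\rho_{ABZZ'}$ and satisfies $\Pi_{ZZ'} \tilde\rho_{ABZZ'} \Pi_{ZZ'} = \tilde\rho_{ABZZ'}$, where $\Pi_{ZZ'} := \sum_z |zz\rangle\langle zz|_{ZZ'}$. The existence of such an extension can be deduced from the fact that projections can only decrease the purified distance [29] and $\Pi_{ZZ'}$ commutes with $\rho_{ABZZ'}$. Furthermore, $\tilde\sigma_{BZZ'} := \Pi_{ZZ'} (\sigma_{BZ} \otimes \mathbb{1}_{Z'}) \Pi_{ZZ'}$. The last inequality follows since $\tilde\rho_{ABZZ'}$ and $\tilde\sigma_{BZZ'}$ are candidates for the optimization of the min-entropy. It remains to show the implication

$$\tilde\rho_{ABZ} \le 2^{-\lambda}\, \mathbb{1}_A \otimes \sigma_{BZ} \implies \tilde\rho_{ABZZ'} \le 2^{-\lambda} |Z|\, \mathbb{1}_A \otimes \sigma_{BZ} \otimes \mathbb{1}_{Z'} \tag{13}$$

which in turn implies (12). However, (13) follows from the fact that, for any extension $X_{AB}$ of a positive operator $X_A$, it holds that $X_{AB} \le |B|\, X_A \otimes \mathbb{1}_B$. Since $X_{AB}$ has a spectral decomposition with positive coefficients, it is sufficient to show this property for pure normalized states $|\psi\rangle\langle\psi|_{AB}$. The general property then follows by taking the weighted sum on both sides of the inequality. Let $\tau_A := \operatorname{tr}_B(|\psi\rangle\langle\psi|_{AB})$ and $T_{AB} := (\tau_A^{-1/2} \otimes \mathbb{1}_B) |\psi\rangle\langle\psi|_{AB} (\tau_A^{-1/2} \otimes \mathbb{1}_B)$, where the inverse is taken on the support of $\tau_A$. Since $T_{AB}$ is of rank 1, its maximum eigenvalue is $\operatorname{tr}(T_{AB}) = \operatorname{rank}\{\tau_A\} \le \min\{|A|, |B|\}$ and, thus, $T_{AB} \le |B|\, \mathbb{1}_{AB}$. Hence, by conjugation of both sides with $\tau_A^{1/2} \otimes \mathbb{1}_B$ follows $|\psi\rangle\langle\psi|_{AB} \le |B|\, \tau_A \otimes \mathbb{1}_B$. This concludes the proof. □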

The following lemma, which shows that conditioning on an additional quantum system $C$ cannot decrease the conditional smooth min-entropy by more than $2 \log |C|$, follows immediately from Lemmas 11 and 12.

Lemma 13. $H^\varepsilon_{\min}(A|BC)_\rho \ge H^\varepsilon_{\min}(A|B)_\rho - 2 \log |C|$.



B. Main Results 



(Classical) Bit Commitment Resource 

Theorem 14. Every quantum protocol which uses $n_A$ (classical) bit commitments from Alice to Bob and $n_B$ (classical) bit commitments from Bob to Alice with $n = n_A + n_B$ as a resource and implements an $\varepsilon$-hiding and $\lambda$-binding string commitment of length at most

$$\ell \le n - 2 \log\Big( \frac{(1-\lambda)^2}{4} - \sqrt{2\varepsilon} \Big) - 1 .$$

In particular, if $\lambda = \varepsilon \le 0.01$, then $\ell \le n + 6$.

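Proof. Let $|x\rangle\langle x| \otimes \rho^x_{ABC}$ be the state resulting from the execution of an $\varepsilon$-hiding commitment protocol when the input of Alice is $x$. Then $\rho_{XABC} = \sum_x \frac{1}{|\mathcal{X}|} |x\rangle\langle x| \otimes \rho^x_{ABC}$ is the state resulting from an execution where the committed string $X$ is uniformly distributed. Let $\bar\varepsilon := \sqrt{2\varepsilon}$. Since $\rho_{XB}$ is $\varepsilon$-close to uniform and $P(\rho, \rho') \le \sqrt{2 D(\rho, \rho')}$ [29], the definition of the smooth min-entropy implies that

$$H^{\bar\varepsilon}_{\min}(X|B)_\rho \ge \log |\mathcal{X}| = \ell .$$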
In the following, we consider a modified protocol that does not use the resource bit commitments. In this modified protocol Alice, instead of using the resource bit commitments, measures the bits to be committed, stores a copy and sends them to Bob, who stores them in a classical register $C_A$. When one of these commitments is opened, he moves the corresponding bit to his register $B$. Bob simulates the action of his commitments locally as follows: instead of measuring a register, $Y$, and sending the outcome to the commitment functionality, he applies the isometry $U : |y\rangle_Y \mapsto |yy\rangle_{YY'}$ purifying the measurement of the committed bit and stores $Y'$ in register $C_B$. When Bob has to open the commitment, he measures $Y'$ and sends the outcome to Alice over the classical channel. Note that we make Bob more powerful in this modified protocol because he can simulate the original protocol locally. Thus, any successful attack of Alice against the modified protocol implies a successful attack against the original protocol. Since we only make use of the modified protocol to construct an attack against Bob, the modified protocol does not have to be hiding. Furthermore, the state conditioned on the classical communication is again pure. Let $|x\rangle\langle x| \otimes \rho^x_{AB}$ be the state resulting from the execution of the modified protocol when the input of Alice is $x$. Then $\rho_{XAB} = \sum_x \frac{1}{|\mathcal{X}|} |x\rangle\langle x| \otimes \rho^x_{AB}$ is the state resulting from an execution where the committed string $X$ is uniformly distributed. From Lemma 10 we know that there exists a function $f : \{0,1\}^\ell \to \{0,1\}$ such that



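where $\rho^{f,z}_{BC} = \frac{1}{|f^{-1}(z)|} \sum_{x \in f^{-1}(z)} \rho^x_{BC}$, $\delta := \bar\varepsilon + \frac{1}{2}\sqrt{2^{\,1 - H^{\bar\varepsilon}_{\min}(X|BC)_\rho}}$ and $C$ stands for $C_A C_B$. Let $z \in \{0,1\}$ and let Alice prepare the state

and honestly execute the commit protocol with the first half of this state as input. Let $\rho^{f,z}_{A'BC_AC_B} = \rho^{f,z}_{XX'ABC_AC_B}$ be the resulting joint state at the end of the commit phase. Then we have $\operatorname{tr}_{A'}(\rho^{f,z}_{A'BC_AC_B}) = \rho^{f,z}_{BC_AC_B}$ and, therefore, Lemma 5 then implies that there exists a unitary $U_{A'}$ such that

$$D(\rho'_{A'BC_AC_B},\ \rho^{f,1}_{A'BC_AC_B}) \le 2\sqrt{\delta} \tag{14}$$

where $\rho'_{A'BC_AC_B} = (U_{A'} \otimes \mathbb{1}_{BC_AC_B})\, \rho^{f,0}_{A'BC_AC_B}\, (U_{A'} \otimes \mathbb{1}_{BC_AC_B})^\dagger$. Lemmas 11 and 12 imply that

$$\begin{aligned}
H^{\bar\varepsilon}_{\min}(X|BC_AC_B)_\rho &\ge H^{\bar\varepsilon}_{\min}(X|BC_B)_\rho - n_A \\
&\ge H^{\bar\varepsilon}_{\min}(X|B)_\rho - n \\
&\ge \ell - n . \qquad (15)
\end{aligned}$$

Thus, we have

$$\begin{aligned}
1 - \lambda \le 2\sqrt{\delta} &= 2\sqrt{\bar\varepsilon + \tfrac{1}{2}\sqrt{2^{\,1 - H^{\bar\varepsilon}_{\min}(X|BC_AC_B)_\rho}}} \\
&\le 2\sqrt{\bar\varepsilon + \tfrac{1}{2}\sqrt{2^{\,1 - \ell + n}}}
\end{aligned}$$

where we used the definition of weakly $\lambda$-binding and inequalities (14) and (15). □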



Quantum Resource 

Next, we consider implementations of string commitments from a functionality which allows the players to commit to (and later reveal) $n$ qubit states. The following theorem shows that there cannot exist a protocol using such a resource which implements an arbitrarily hiding and binding string commitment of length larger than $2n$.

Theorem 15. Every quantum protocol which uses a resource, which allows the players to commit to (and later reveal) $n$ qubit states and implements an $\varepsilon$-hiding and $\lambda$-binding string commitment of length $\ell$ must have

$$\ell \le 2n - 2 \log\Big( \frac{(1-\lambda)^2}{4} - \sqrt{2\varepsilon} \Big) - 1 . \tag{16}$$

In particular, if $\lambda = \varepsilon \le 0.01$, then $\ell \le 2n + 6$.
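Proof. Let $|x\rangle\langle x| \otimes \rho^x_{ABC}$ be the state resulting from the execution of an $\varepsilon$-hiding commitment protocol when the input of Alice is $x$. Then $\rho_{XABC} = \sum_x \frac{1}{|\mathcal{X}|} |x\rangle\langle x| \otimes \rho^x_{ABC}$ is the state resulting from an execution where the committed string $X$ is uniformly distributed. Let $\bar\varepsilon := \sqrt{2\varepsilon}$. Since $\rho_{XB}$ is $\varepsilon$-close to uniform and $P(\rho, \rho') \le \sqrt{2 D(\rho, \rho')}$ [29], the definition of the smooth min-entropy implies that

$$H^{\bar\varepsilon}_{\min}(X|B)_\rho \ge \log |\mathcal{X}| = \ell .$$

From Lemma 13 we have

$$H^{\bar\varepsilon}_{\min}(X|BC)_\rho \ge H^{\bar\varepsilon}_{\min}(X|B)_\rho - 2 \log |C| . \tag{17}$$

From Lemma 10 we know that there exists a function $f : \{0,1\}^\ell \to \{0,1\}$ such that

$$D(\rho^{f,0}_{BC}, \rho^{f,1}_{BC}) \le 2\delta$$

where $\rho^{f,z}_{BC} = \frac{1}{|f^{-1}(z)|} \sum_{x \in f^{-1}(z)} \rho^x_{BC}$ and $\delta := \bar\varepsilon + \frac{1}{2}\sqrt{2^{\,1 - H^{\bar\varepsilon}_{\min}(X|BC)_\rho}}$. Let $z \in \{0,1\}$ and let Alice prepare the state

$$\frac{1}{\sqrt{|f^{-1}(z)|}} \sum_{x \in f^{-1}(z)} |x\rangle_X \otimes |x\rangle_{X'}$$

and honestly execute the commit protocol with the first half of this state as input. Let $\rho^{f,z}_{A'BC} = \rho^{f,z}_{XX'ABC}$ be the resulting state. Then we have $\operatorname{tr}_{A'}(\rho^{f,z}_{A'BC}) = \rho^{f,z}_{BC}$ and, therefore, Lemma 5 implies that there exists a unitary $U_{A'}$ such that

$$D(\rho'_{A'BC},\ \rho^{f,1}_{A'BC}) \le 2\sqrt{\delta} \tag{18}$$

where $\rho'_{A'BC} = (U_{A'} \otimes \mathbb{1}_{BC})\, \rho^{f,0}_{A'BC}\, (U_{A'} \otimes \mathbb{1}_{BC})^\dagger$. This implies that

$$\begin{aligned}
1 - \lambda \le 2\sqrt{\delta} &= 2\sqrt{\bar\varepsilon + \tfrac{1}{2}\sqrt{2^{\,1 - H^{\bar\varepsilon}_{\min}(X|BC)_\rho}}} \\
&\le 2\sqrt{\bar\varepsilon + \tfrac{1}{2}\sqrt{2^{\,1 - \ell + 2n}}} \\
&\le 2\sqrt{\sqrt{2\varepsilon} + 2^{-(\ell - 2n + 1)/2}}
\end{aligned}$$

where we used the definition of weakly $\lambda$-binding and inequalities (17) and (18). □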

Note that the proof of Theorem 15 only uses the fact that the resource could be simulated by Bob such that the resulting state at the end of the commit phase is pure conditioned on all the classical communication and the simulated resource uses an additional memory of size at most $\log |C|$. Thus, inequality (16) holds for arbitrary such resources with $\log |C| \le n$. A simple example of such a resource would be a functionality which generates a tripartite state $|\Phi\rangle_{ABC}$ and gives system $A$ to Alice and $B$ to Bob.




